All environment variables are defined, maintained, and encrypted via git-secret. Because they are encrypted, sensitive information (e.g. aws keys, database uris, etc) can be defined and committed to the repository. It's all centralized in one place.
To get up and running, follow these steps:
- Install git-secret:
brew install git-secret - If you haven't already, download GPG Suite.
- Create a GPG key and upload it to the key server. This can be done via the GPG Keychain app.
- Assuming you've been granted access by your project's dev lead, you can now run
git secret revealto decrypt all added.env.*files specified for the project. - After making changes to an
.env.*file, you can rungit secret hideto re-encrypt and save your changes. These changes are now safe to push to the repository.
By convention, HAUS' continuous integration server will match git branch name to the appropriate remote environment. For example, when pushing to a git branch named staging, our CI server will respect all environment variables set inside the .env.staging file. So the convention is .env.{BRANCH_NAME}.
Refer to git-secret.io for more detailed instructions and usage information.